containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4781 from haircommander/seccomp-profile-root 

play kube: make seccomp handling better conform to k8s
This commit is contained in:
OpenShift Merge Robot 2020-01-07 22:13:03 +01:00 committed by GitHub
parent bd3d8f4e28 b6792b61de
commit c41fd09a8d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 31 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/podman/cliconfig/config.go
View File

@ -314,6 +314,7 @@ type KubePlayValues struct {
Quiet bool Quiet bool
SignaturePolicy string SignaturePolicy string
TlsVerify bool TlsVerify bool
SeccompProfileRoot string
} }
type PodCreateValues struct { type PodCreateValues struct {

3
cmd/podman/play_kube.go
View File

@ -28,6 +28,8 @@ var (
}, },
Example: `podman play kube demo.yml`, Example: `podman play kube demo.yml`,
} }
// https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
defaultSeccompRoot = "/var/lib/kubelet/seccomp"
) )
func init() { func init() {
@ -46,6 +48,7 @@ func init() {
flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
flags.StringVar(&playKubeCommand.SeccompProfileRoot, "seccomp-profile-root", defaultSeccompRoot, "Directory path for seccomp profiles")
markFlagHidden(flags, "signature-policy") markFlagHidden(flags, "signature-policy")
} }
} }

1
completions/bash/podman
View File

@ -2672,6 +2672,7 @@ _podman_play_kube() {
--quiet --quiet
-q -q
--tls-verify --tls-verify
--seccomp-profile-root
" "
case "$cur" in case "$cur" in

4
docs/source/markdown/podman-play-kube.1.md
View File

@ -40,6 +40,10 @@ value can be entered. The password is entered without echo.
Suppress output information when pulling images Suppress output information when pulling images
**--seccomp-profile-root**=*path*
Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp"). (Not available for remote commands)
**--tls-verify**=*true|false* **--tls-verify**=*true|false*
Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,

20
pkg/adapter/pods.go
View File

@ -8,6 +8,7 @@ import (
"io" "io"
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath"
"strings" "strings"
"github.com/containers/buildah/pkg/parse" "github.com/containers/buildah/pkg/parse"
@ -597,7 +598,7 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
volumes[volume.Name] = hostPath.Path volumes[volume.Name] = hostPath.Path
} }
seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations) seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations, c.SeccompProfileRoot)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -847,7 +848,8 @@ func (k *kubeSeccompPaths) findForContainer(ctrName string) string {
// initializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp // initializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp
// it parses both pod and container level // it parses both pod and container level
func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, error) { // if the annotation is of the form "localhost/%s", the seccomp profile will be set to profileRoot/%s
func initializeSeccompPaths(annotations map[string]string, profileRoot string) (*kubeSeccompPaths, error) {
seccompPaths := &kubeSeccompPaths{containerPaths: make(map[string]string)} seccompPaths := &kubeSeccompPaths{containerPaths: make(map[string]string)}
var err error var err error
if annotations != nil { if annotations != nil {
@ -863,7 +865,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
return nil, errors.Errorf("Invalid seccomp path: %s", prefixAndCtr[0]) return nil, errors.Errorf("Invalid seccomp path: %s", prefixAndCtr[0])
} }
path, err := verifySeccompPath(seccomp) path, err := verifySeccompPath(seccomp, profileRoot)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -872,7 +874,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey] podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]
if ok { if ok {
seccompPaths.podPath, err = verifySeccompPath(podSeccomp) seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot)
} else { } else {
seccompPaths.podPath, err = libpod.DefaultSeccompPath() seccompPaths.podPath, err = libpod.DefaultSeccompPath()
} }
@ -885,7 +887,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
// verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path // verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path
// the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp // the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
func verifySeccompPath(path string) (string, error) { func verifySeccompPath(path string, profileRoot string) (string, error) {
switch path { switch path {
case v1.DeprecatedSeccompProfileDockerDefault: case v1.DeprecatedSeccompProfileDockerDefault:
fallthrough fallthrough
@ -894,13 +896,9 @@ func verifySeccompPath(path string) (string, error) {
case "unconfined": case "unconfined":
return path, nil return path, nil
default: default:
// TODO we have an inconsistency here parts := strings.Split(path, "/")
// k8s parses `localhost/<path>` which is found at `<seccomp_root>`
// we currently parse `localhost:<seccomp_root>/<path>
// to fully conform, we need to find a good location for the seccomp root
parts := strings.Split(path, ":")
if parts[0] == "localhost" { if parts[0] == "localhost" {
return parts[1], nil return filepath.Join(profileRoot, parts[1]), nil
} }
return "", errors.Errorf("invalid seccomp path: %s", path) return "", errors.Errorf("invalid seccomp path: %s", path)
} }

11
test/e2e/play_kube_test.go
View File

@ -358,10 +358,11 @@ var _ = Describe("Podman generate kube", func() {
ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
ctr := getCtr(withCmd([]string{"pwd"})) ctr := getCtr(withCmd([]string{"pwd"}))
err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost:"+jsonFile)), kubeYaml) err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile))), kubeYaml)
Expect(err).To(BeNil()) Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) // CreateSeccompJson will put the profile into podmanTest.TempDir. Use --seccomp-profile-root to tell play kube where to look
kube := podmanTest.Podman([]string{"play", "kube", "--seccomp-profile-root", podmanTest.TempDir, kubeYaml})
kube.WaitWithDefaultTimeout() kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0)) Expect(kube.ExitCode()).To(Equal(0))
@ -378,13 +379,15 @@ var _ = Describe("Podman generate kube", func() {
fmt.Println(err) fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.") Skip("Failed to prepare seccomp.json for test.")
} }
defer os.Remove(jsonFile)
ctr := getCtr(withCmd([]string{"pwd"})) ctr := getCtr(withCmd([]string{"pwd"}))
err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost:"+jsonFile)), kubeYaml) err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile))), kubeYaml)
Expect(err).To(BeNil()) Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) // CreateSeccompJson will put the profile into podmanTest.TempDir. Use --seccomp-profile-root to tell play kube where to look
kube := podmanTest.Podman([]string{"play", "kube", "--seccomp-profile-root", podmanTest.TempDir, kubeYaml})
kube.WaitWithDefaultTimeout() kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0)) Expect(kube.ExitCode()).To(Equal(0))